Microsoft Defender for Endpoint: Automation defaults are changing

Published 01-17-2021 09:25 AM 10.1K Views
Microsoft

We are excited to announce that we are about to increase our customers’ protection by upgrading the default automation level of our Microsoft Defender for Endpoint customers who have opted into public previews from Semi - require approval for any remediation to Full – remediate threats automatically. 

 

Auto investigation and remediation overview

When an alert is raised in Microsoft Defender for Endpoint, an automated investigation immediately starts running on the machine where the suspicious activity was detected. It begins with an analysis of the malicious entities that are part of the alert and continues with collection and examination of other entities associated with it. The automated investigation inspects files, processes, services, registry keys, and any area that may contain threat-related evidence.

 

The result of an automated investigation started by an alert is a list of related entities found on a device and their verdicts (malicious, suspicious, or clean). For any malicious entity, the investigation will create a remediation action, an action that, when approved, will remove or contain a malicious entity that was found in the investigation. These actions are defined, managed, and executed by Microsoft Defender for Endpoint without the security operations team having to remotely connect to the device.

 

4.jpg

 

Remediation actions are approved or declined according to the device automation level. When it is set to ‘Full’, the remediation action will be approved automatically, without further waiting. When it is set to ‘Semi’, the action will wait for manual approval, which may lead to losing valuable time in which the malware may cause damage and spread to other devices.

 

3.jpg

 

Automated investigation and remediation supports queuing of remediation actions for devices that are not available, so that when they become available, the actions will be triggered immediately. All remediation actions, whether pending, running, or completed, can be viewed in the Action Center. If you’ve determined that a detected device or a file is not actually a threat, you can undo remediation actions that were taken for a specific device or across the entire organization.

 

Empowering defenders with automation by default

When our automated investigation and remediation capabilities were first introduced, the default automation level was set to semi - require approval for any remediation. Since then, we have increased our malware detection accuracy, added the option to undo remediation actions, and improved our automated investigation infrastructure. Throughout this time, we have seen thousands of cases where organizations with fully automated tenants have successfully contained and remediated threats, while other companies, left with the default ‘semi’ level, have remained at high risk due to lengthy pending time for approval of actions.

 

Data collected and analysed over the past year shows that organizations who are using full automation have had 40% more high-confidence malware samples removed than customers using lower levels of automation. Full automation also frees up our customers’ critical security resources so they can focus more on their strategic initiatives.

 

In light of the significant benefits of using automatic approval of remediation actions, and after changing the default automation level for new customers, starting February 16, 2021, tenants who have opted in for public previews in the Microsoft Defender for Endpoint will be automatically upgraded to the new default automation level: Full-remediate threats automatically.

 

The new default automation level can be kept (this is recommended) or changed according to your organizational needs. This change does not impact or override device group definitions that were previously set to control automation level.

 

To get started with Microsoft Defender for Endpoint public preview capabilities, we encourage customers to turn on preview features in Microsoft Defender Security Center.

 

If you’re not yet taking advantage of Microsoft’s industry leading optics and detection capabilities, sign up for a free trial of Microsoft Defender for Endpoint today.

 

Additional resources:

Create and manage device groups

Automation levels in automated investigation and remediation capabilities

Review and approve remediation actions following an automated investigation

2 Comments
New Contributor

I have a short question about the following: 

Does someone now the Difference between Microsoft Defender for Identiy Sensors and Microsoft Defender Security Center Onboarding. When i have for example a domain controller VM. Do i put the Defender for Identity Sensor on the server and also onboard the server in the MS Defender Security Center? 

 

 

Occasional Contributor

@ejbakker - Yes, to onboard for the Security Center you will have to use the Log Analytics Agent (And with server 2016 or 2019 i belive that you also need to onboard into the DATP portal since it's not synced per auto on these OS, but please correct me if im wrong).

Defender For Identity will use a censor instead of an agent from what i know.

%3CLINGO-SUB%20id%3D%22lingo-sub-2098031%22%20slang%3D%22en-US%22%3ERe%3A%20Microsoft%20Defender%20for%20Endpoint%3A%20Automation%20defaults%20are%20changing%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2098031%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20a%20short%20question%20about%20the%20following%3A%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20someone%20now%20the%20Difference%20between%20Microsoft%20Defender%20for%20Identiy%20Sensors%20and%20Microsoft%20Defender%20Security%20Center%20Onboarding.%20When%20i%20have%20for%20example%20a%20domain%20controller%20VM.%20Do%20i%20put%20the%20Defender%20for%20Identity%20Sensor%20on%20the%20server%20and%20also%20onboard%20the%20server%20in%20the%20MS%20Defender%20Security%20Center%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2105369%22%20slang%3D%22en-US%22%3ERe%3A%20Microsoft%20Defender%20for%20Endpoint%3A%20Automation%20defaults%20are%20changing%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2105369%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F909471%22%20target%3D%22_blank%22%3E%40ejbakker%3C%2FA%3E%26nbsp%3B-%20Yes%2C%20to%20onboard%20for%20the%20Security%20Center%20you%20will%20have%20to%20use%20the%20Log%20Analytics%20Agent%20(And%20with%20server%202016%20or%202019%20i%20belive%20that%20you%20also%20need%20to%20onboard%20into%20the%20DATP%20portal%20since%20it's%20not%20synced%20per%20auto%20on%20these%20OS%2C%20but%20please%20correct%20me%20if%20im%20wrong).%3C%2FP%3E%3CP%3EDefender%20For%20Identity%20will%20use%20a%20censor%20instead%20of%20an%20agent%20from%20what%20i%20know.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2068744%22%20slang%3D%22en-US%22%3EMicrosoft%20Defender%20for%20Endpoint%3A%20Automation%20defaults%20are%20changing%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2068744%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20excited%20to%20announce%20that%20we%20are%20about%20to%20increase%20our%20customers%E2%80%99%20protection%20by%20upgrading%20the%20default%20automation%20level%20of%20our%20Microsoft%20Defender%20for%20Endpoint%20customers%20who%20have%20opted%20into%20public%20previews%20from%20%3CSTRONG%3ESemi%20-%3C%2FSTRONG%3E%20%3CSTRONG%3Erequire%20approval%20for%20any%20remediation%3C%2FSTRONG%3E%20%3CSPAN%3Eto%20%3CSTRONG%3EFull%20%E2%80%93%20remediate%20threats%20automatically%3C%2FSTRONG%3E.%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EAuto%20investigation%20and%20remediation%20overview%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EWhen%20an%20alert%20is%20raised%20in%20Microsoft%20Defender%20for%20Endpoint%2C%20an%20automated%20investigation%20immediately%20starts%20running%20on%20the%20machine%20where%20the%20suspicious%20activity%20was%20detected.%20It%20begins%20with%20an%20analysis%20of%20the%20malicious%20entities%20that%20are%20part%20of%20the%20alert%20and%20continues%20with%20collection%20and%20examination%20of%20other%20entities%20associated%20with%20it.%20The%20automated%20investigation%20inspects%20files%2C%20processes%2C%20services%2C%20registry%20keys%2C%20and%20any%20area%20that%20may%20contain%20threat-related%20evidence.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20result%20of%20an%20automated%20investigation%20started%20by%20an%20alert%20is%20a%20list%20of%20related%20entities%20found%20on%20a%20device%20and%20their%20verdicts%20(malicious%2C%20suspicious%2C%20or%20clean).%20For%20any%20malicious%20entity%2C%20the%20investigation%20will%20create%20a%20remediation%20action%2C%20an%20action%20that%2C%20when%20approved%2C%20will%20remove%20or%20contain%20a%20malicious%20entity%20that%20was%20found%20in%20the%20investigation.%20These%20actions%20are%20defined%2C%20managed%2C%20and%20executed%20by%20Microsoft%20Defender%20for%20Endpoint%20without%20the%20security%20operations%20team%20having%20to%20remotely%20connect%20to%20the%20device.%3C%2FP%3E%0A%3CDIV%20id%3D%22tinyMceEditorisraelcp_0%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%224.jpg%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F247093i1233DCD09AA94A86%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%224.jpg%22%20alt%3D%224.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERemediation%20actions%20are%20approved%20or%20declined%20according%20to%20the%20device%20automation%20level.%20When%20it%20is%20set%20to%20%E2%80%98Full%E2%80%99%2C%20the%20remediation%20action%20will%20be%20approved%20automatically%2C%20without%20further%20waiting.%20When%20it%20is%20set%20to%20%E2%80%98Semi%E2%80%99%2C%20the%20action%20will%20wait%20for%20manual%20approval%2C%20which%20may%20lead%20to%20losing%20valuable%20time%20in%20which%20the%20malware%20may%20cause%20damage%20and%20spread%20to%20other%20devices.%3C%2FP%3E%0A%3CDIV%20id%3D%22tinyMceEditorisraelcp_1%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%223.jpg%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F247092i38C862D860C26A7D%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%223.jpg%22%20alt%3D%223.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAutomated%20investigation%20and%20remediation%20supports%20queuing%20of%20remediation%20actions%20for%20devices%20that%20are%20not%20available%2C%20so%20that%20when%20they%20become%20available%2C%20the%20actions%20will%20be%20triggered%20immediately.%20All%20remediation%20actions%2C%20whether%20pending%2C%20running%2C%20or%20completed%2C%20can%20be%20viewed%20in%20the%20Action%20Center.%20If%20you%E2%80%99ve%20determined%20that%20a%20detected%20device%20or%20a%20file%20is%20not%20actually%20a%20threat%2C%20you%20can%20undo%20remediation%20actions%20that%20were%20taken%20for%20a%20specific%20device%20or%20across%20the%20entire%20organization.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EEmpowering%20defenders%20with%20automation%20by%20default%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EWhen%20our%20automated%20investigation%20and%20remediation%20capabilities%20were%20first%20introduced%2C%20the%20default%20automation%20level%20was%20set%20to%20%3CSTRONG%3Esemi%20-%20require%20approval%20for%20any%20remediation%3C%2FSTRONG%3E.%20Since%20then%2C%20we%20have%20increased%20our%20malware%20detection%20accuracy%2C%20added%20the%20option%20to%20undo%20remediation%20actions%2C%20and%20improved%20our%20automated%20investigation%20infrastructure.%20Throughout%20this%20time%2C%20we%20have%20seen%20thousands%20of%20cases%20where%20organizations%20with%20fully%20automated%20tenants%20have%20successfully%20contained%20and%20remediated%20threats%2C%20while%20other%20companies%2C%20left%20with%20the%20default%20%E2%80%98semi%E2%80%99%20level%2C%20have%20remained%20at%20high%20risk%20due%20to%20lengthy%20pending%20time%20for%20approval%20of%20actions.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EData%20collected%20and%20analysed%20over%20the%20past%20year%20shows%20that%20organizations%20who%20are%20using%20full%20automation%20have%20had%2040%25%20more%20high-confidence%20malware%20samples%20removed%20than%20customers%20using%20lower%20levels%20of%20automation.%20Full%20automation%20also%20frees%20up%20our%20customers%E2%80%99%20critical%20security%20resources%20so%20they%20can%20focus%20more%20on%20their%20strategic%20initiatives.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20light%20of%20the%20significant%20benefits%20of%20using%20automatic%20approval%20of%20remediation%20actions%2C%20and%20after%20changing%20the%20default%20automation%20level%20for%20new%20customers%2C%20starting%20February%2016%2C%202021%2C%20tenants%20who%20have%20opted%20in%20for%20public%20previews%20in%20the%20Microsoft%20Defender%20for%20Endpoint%20will%20be%20automatically%20upgraded%20to%20the%20new%20default%20automation%20level%3A%20%3CSTRONG%3EFull-remediate%20threats%20automatically%3C%2FSTRONG%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20new%20default%20automation%20level%20can%20be%20kept%20(this%20is%20recommended)%20or%20changed%20according%20to%20your%20organizational%20needs.%20%3CSTRONG%3E%3CU%3EThis%20change%20does%20not%20impact%20or%20override%20device%20group%20definitions%20that%20were%20previously%20set%20to%20control%20automation%20level.%3C%2FU%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20get%20started%20with%20Microsoft%20Defender%20for%20Endpoint%20public%20preview%20capabilities%2C%20we%20encourage%20customers%20to%20turn%20on%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Fpreview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Epreview%20features%3C%2FA%3E%26nbsp%3Bin%20Microsoft%20Defender%20Security%20Center.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%E2%80%99re%20not%20yet%20taking%20advantage%20of%20Microsoft%E2%80%99s%20industry%20leading%20optics%20and%20detection%20capabilities%2C%20%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2FWindowsForBusiness%2Fwindows-atp%3Focid%3Dcx-blog-mmpc%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Esign%20up%20for%20a%20free%20trial%3C%2FA%3E%20of%20Microsoft%20Defender%20for%20Endpoint%20today.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EAdditional%20resources%3A%20%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Fmachine-groups%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ECreate%20and%20manage%20device%20groups%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Fautomation-levels%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAutomation%20levels%20in%20automated%20investigation%20and%20remediation%20capabilities%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Fmanage-auto-investigation%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EReview%20and%20approve%20remediation%20actions%20following%20an%20automated%20investigation%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2068744%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20excited%20to%20announce%20that%20we%20are%20about%20to%20increase%20our%20customers%E2%80%99%20protection%20by%20upgrading%20the%20default%20automation%20level%20of%20our%20Microsoft%20Defender%20for%20Endpoint%20customers%20who%20have%20opted%20into%20public%20previews%20from%20%3CSTRONG%3ESemi%20-%3C%2FSTRONG%3E%20%3CSTRONG%3Erequire%20approval%20for%20any%20remediation%3C%2FSTRONG%3E%20%3CSPAN%3Eto%20%3CSTRONG%3EFull%20%E2%80%93%20remediate%20threats%20automatically%3C%2FSTRONG%3E.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2068744%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAuto%20investigation%20%26amp%3B%20remediation%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Co-Authors
Version history
Last update:
‎Jun 09 2021 02:52 PM
Updated by: